Version: 3.3
1. Contents
1. Contents (p. 2)
2. Contact Information (p. 4)
3. Version Control (p. 5)
4. Terms and Abbreviations (p. 5)
5. Introduction (p. 6)
6. Scope (p. 6)
7. Active Directory Content Backup and Restore Methods (p. 6)
   7.1 System State Backup (p. 7)
   7.2 Active Directory Recycle Bin (p. 8)
   7.3 Active Directory Snapshot Backups (p. 9)
   7.4 Tombstone Reanimation (p. 10)
8. Installing and Configuring Backups (p. 10)
   8.1 System State Backup (p. 10)
   8.2 Snapshot Backups (p. 11)
       8.2.1 Manual Snapshots (p. 11)
       8.2.2 Scheduled Snapshots (p. 11)
   8.3 Enable Active Directory Recycle Bin (p. 12)
   8.4 Configuring Garbage Collection Process (p. 12)
       8.4.1 Without Recycle Bin (p. 13)
       8.4.2 With Recycle Bin (p. 13)
9. When to Restore (p. 14)
10. Where to Restore (p. 15)
11. Common Tasks (p. 15)
   11.1 Remove Domain Controller from DNS (p. 15)
   11.2 Remove Domain Controller from Active Directory (p. 15)
   11.3 Change the Active Directory Restore Mode (DSRM) Administrator Password (p. 17)
   11.4 Verification of a Successful Restore (p. 17)
   11.5 How to Disable Initial Replication (p. 18)
12. Active Directory Content Recovery (p. 18)
   12.1 Overview (p. 18)
       12.1.1 Authoritative Restore (p. 18)
       12.1.2 Non-Authoritative Restore (p. 19)
   12.2 Recovery through System State Backup (p. 19)
       12.2.1 Restore your Backup Files to Restore From (p. 19)
       12.2.2 Non-Authoritative Restore (p. 20)
       12.2.3 Authoritative Restore (p. 21)
   12.3 Recovery through Tombstone Object Reanimation (p. 22)
       12.3.1 Authoritative Restore through LDP.exe (p. 23)
       12.3.2 Authoritative Restore through ADRestore.exe (p. 24)
   12.4 Active Directory Recovery through Snapshots (p. 24)
   12.5 Active Directory Restore through Recycle Bin (p. 26)
   12.6 Restoring Back-Links (p. 28)
       12.6.1 Restore Group Memberships through NTDSUTIL and LDIFDE (p. 28)
       12.6.2 Restore Security Principals Two Times (p. 29)
13. Entire Domain Recovery (p. 29)
14. Entire Forest Recovery (p. 30)
15. FSMO Roles Recovery (p. 32)
   15.1 Overview (p. 32)
   15.2 How to Find the Existing FSMO Role Holders (p. 34)
   15.3 How to Seize a Role (p. 34)
   15.4 How to Move a Role (p. 35)
16. SYSVOL Recovery (p. 35)
   16.1 Overview (p. 35)
2. Contact Information
IT doesn't matter
Even in our fast-growing world of technology, IT became a commodity the same way electricity did. It's not the software, hardware or technologies that will make the difference, but the way you design, implement, maintain and use them. Speaking personally, as an architect, software, hardware and technology as such are not that important. They are only a way to create a stable, reliable and secure IT infrastructure that meets all your business and technical needs. Cost reductions, flexibility and future scalability are key words in every project I'm involved with.
EDE Consulting
EDE Consulting was formed in 2006. Though a young company, all our IT professionals are senior consultants with 10 to 20 years of experience in IT business. EDE Consulting has extensive experience with everything related to enterprise system management, network management, system migration and integration, and this at consultancy, architectural and implementation level. While you take care of your core business, EDE Consulting looks after your IT infrastructure. We think beyond the technical aspects of IT. If, for example, we design a disaster recovery procedure, this procedure includes all documentation, personal procedures, access lists, and so on. Among our current customers you will find: Fortis, Dexia, ING, Oleon, AGF, KUL, ...
http://www.linkedin.com/pub/peter-van-keymeulen/3/531/783
3. Version Control
Version  Status  Date        Authors              Changes
V1.1     Review  22.10.2010  Van Keymeulen Peter
V3.0     Final   10.03.2011  Van Keymeulen Peter
V3.1     Update  28.04.2011  Van Keymeulen Peter
V3.2     Update  17.11.2011  Van Keymeulen Peter
V3.3     Update  30.01.2012  Van Keymeulen Peter
5. Introduction
You all know that Active Directory Domain Services (ADDS) is a mission-critical component in your Windows infrastructure. If Active Directory goes down, your network is essentially useless. Consequently, your backup and recovery plans for Active Directory are fundamental to security, business continuity, and regulatory compliance. Windows Server 2008 brings many new features to Active Directory, two of which have a significant impact on your backup and recovery plans: the new Windows Server Backup utility and the ability to take and work with Volume Shadow Copy Service snapshots of Active Directory. In this article I will describe everything you need to know about Active Directory backup and disaster recovery.
6. Scope
This document tackles all possible scenarios, mechanisms and techniques related to Active Directory backup and disaster recovery.
The V1 version contained the following items:
- Active Directory content backup and restore through System State
- Active Directory content backup and restore through tombstone reanimation
- SYSVOL restore
- FSMO roles restore
- Restore an entire forest
- Restore an entire domain
This (V3) version contains the following items:
- Active Directory content backup and restore through System State
- Active Directory content backup and restore through tombstone reanimation
- Active Directory content backup and restore through the Recycle Bin
- Active Directory content backup and restore through snapshots
- SYSVOL restore
- FSMO roles restore
- Restore an entire forest
- Restore an entire domain
- ADS DRP mode
- Useful links
Windows Server 2008R2 AD Backup and Disaster Recovery Procedures

7.1 System State Backup
Windows Server 2008 includes a new backup application named Windows Server Backup. It replaces the good old NTBACKUP.EXE and is not installed by default: install it with the Add Features option in Server Manager before you can use the Wbadmin.exe command-line tool or Windows Server Backup on the Administrative Tools menu.

In Windows Server 2008 the components that make up the system state depend on the server roles installed on the computer. The system state data includes at least the following, plus additional data depending on the installed roles:
- Registry
- COM+ Class Registration database
- Boot files
- Active Directory Certificate Services (AD CS) database
- Active Directory database (Ntds.dit)
- SYSVOL directory
- Cluster service information
- Microsoft Internet Information Services (IIS) metadirectory
- System files that are under Windows Resource Protection

When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup includes all data on the following volumes:
- The volume that hosts the boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store
- The volume that hosts the Windows operating system and the registry
- The volume that hosts the SYSVOL tree
- The volume that hosts the Active Directory database (Ntds.dit)
- The volume that hosts the Active Directory database log files

Windows Server 2008 supports the following backup types:

Manual backup: a member of the Administrators group or of the Backup Operators group can start a manual backup with Windows Server Backup or the Wbadmin.exe command-line tool whenever a backup is needed. If the target volume is not part of the backup set, manual backups can be written to a remote network share or to a volume on a local hard drive. Manual backups made by wbadmin always create a new folder containing a full system state backup, so keeping several versions of your backup needs a large amount of disk space: the wbengine service creates a separate, timestamped folder for each backup.

Scheduled backup: a member of the Administrators group can schedule backups with Windows Server Backup or the Wbadmin.exe command-line tool. Scheduled backups must be written to a local, physical drive that does not host any critical volume, or to a remote share (even the system volume of another server). Backing up onto a critical volume can be forced with the AllowSSBToAnyVolume registry value; for more information, please refer to: http://support.microsoft.com/kb/944530 Wbadmin scheduled backups can have local disks as well as a remote share as backup
To list all system state backups stored on your domain controller:
1. Log on to the domain controller as a member of the Administrators or Backup Operators group.
2. From the command prompt, execute: wbadmin get versions

To get the status of a running system state backup:
1. Log on to the domain controller as a member of the Administrators or Backup Operators group.
2. From the command prompt, execute: wbadmin get status
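As an added example (not part of the original document), the manual backup, the scheduled backup and the version listing above driven from PowerShell 2.0 on the domain controller. The parser for the text that wbadmin get versions prints makes the version identifier, which a later system state recovery needs, available programmatically. The backup target E:, the 10 GB free-space threshold and the sample wbadmin output are assumptions; the sample is constructed, not captured from a real server.

```powershell
# Added example, not the document's own procedure. Assumes Windows Server Backup is
# installed (wbadmin.exe present) and that E: is a local volume holding no critical
# volume. Run in an elevated PowerShell session on the domain controller.

function Get-WbBackupVersion {
    # Parse the text that 'wbadmin get versions' prints into one object per backup.
    param([Parameter(Mandatory=$true)][string[]]$WbadminOutput)
    $versions = @()
    $current = $null
    foreach ($line in $WbadminOutput) {
        if ($line -match '^Backup time:\s*(.+)$') {
            $current = New-Object PSObject -Property @{
                BackupTime = $Matches[1].Trim(); Target = ''; Identifier = ''; CanRecover = '' }
            $versions += $current
        } elseif ($current -ne $null -and $line -match '^Backup target:\s*(.+)$') {
            $current.Target = $Matches[1].Trim()
        } elseif ($current -ne $null -and $line -match '^Version identifier:\s*(\S+)') {
            $current.Identifier = $Matches[1]     # the value -version: expects, e.g. 01/30/2012-21:00
        } elseif ($current -ne $null -and $line -match '^Can recover:\s*(.+)$') {
            $current.CanRecover = $Matches[1].Trim()
        }
    }
    return $versions
}

function Start-AdSystemStateBackup {
    # Manual system state backup: every run creates a new timestamped folder under
    # <target>\WindowsImageBackup\<computer>\, so check that the target has room first.
    param([Parameter(Mandatory=$true)][string]$BackupTarget, [long]$MinFreeBytes = 10GB)
    if ($BackupTarget -match '^[A-Za-z]:') {
        $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($BackupTarget.Substring(0,2))'"
        if ($disk -and $disk.FreeSpace -lt $MinFreeBytes) {
            throw "Only $([math]::Round($disk.FreeSpace / 1GB, 1)) GB free on $BackupTarget; refusing to start."
        }
    }
    # -quiet suppresses the confirmation prompt; without it the command waits for Y.
    & wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin start systemstatebackup failed with exit code $LASTEXITCODE" }
    # Read the catalog on that target back and return the newest version, so the caller can
    # record the identifier it will need for 'wbadmin start systemstaterecovery -version:'.
    $out = & wbadmin.exe get versions "-backupTarget:$BackupTarget"
    return (Get-WbBackupVersion -WbadminOutput $out | Select-Object -Last 1)
}

function Enable-AdSystemStateSchedule {
    # Scheduled system state backup: the target must not hold a critical volume unless the
    # AllowSSBToAnyVolume value from KB944530 is set; wbadmin enforces that itself.
    param([Parameter(Mandatory=$true)][string]$BackupTarget, [string]$DailyAt = '21:00')
    & wbadmin.exe enable backup "-addtarget:$BackupTarget" "-schedule:$DailyAt" -systemState -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin enable backup failed with exit code $LASTEXITCODE" }
}

# Constructed sample of 'wbadmin get versions' output (not captured from a real server),
# so the parser can be exercised without touching a backup target:
$sample = @(
    'wbadmin 1.0 - Backup command-line tool',
    '(C) Copyright 2004 Microsoft Corp.',
    '',
    'Backup time: 7/27/2010 9:25 AM',
    'Backup target: Fixed Disk labeled Backup(E:)',
    'Version identifier: 07/27/2010-09:25',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State',
    'Snapshot ID: {6c4d1f2a-0000-4000-8000-000000000001}',
    '',
    'Backup time: 1/30/2012 9:00 PM',
    'Backup target: Fixed Disk labeled Backup(E:)',
    'Version identifier: 01/30/2012-21:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State'
)
Get-WbBackupVersion -WbadminOutput $sample | Format-Table BackupTime, Identifier, CanRecover -AutoSize
# Real use:  Start-AdSystemStateBackup -BackupTarget 'E:'
#            Enable-AdSystemStateSchedule -BackupTarget 'E:' -DailyAt '21:00'
```

The free-space check exists because of the behaviour described above: a manual wbadmin system state backup never overwrites an older one, so a target that is not cleaned up fills up silently.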
To create a snapshot with a single one-line command:
1. Log on to the domain controller as a member of the Administrators group.
2. From the command prompt, execute: ntdsutil snapshot "activate instance ntds" create quit quit
Each quoted string is passed to ntdsutil as one command; without the quotes ntdsutil receives activate, instance and ntds as three separate commands and the snapshot is not created.
9. When to Restore
When an object is deleted in Windows Server 2008 R2, the DC on which the deletion happened informs the other DCs in the environment by replicating what is known as a tombstone (Recycle Bin not enabled) or a deleted object (Recycle Bin enabled). Both are representations of an object that has been removed from the directory. The tombstone is removed by the garbage collection process once the tombstone lifetime has passed; the default is 180 days for a forest created on Windows Server 2003 SP1 or later, including Windows Server 2008 R2 (older forests keep 60 days unless the value was raised). A deleted object is recycled after the deleted object lifetime (msDS-DeletedObjectLifetime), which by default equals the tombstone lifetime, so again 180 days in Windows Server 2008 R2.

A backup older than the tombstone lifetime set in Active Directory is not considered a good backup, and Active Directory protects itself by refusing to restore data older than the tombstone lifetime. For example, assume that a user object is backed up and deleted afterwards. The deletion replicates to the other DCs in the form of a tombstone. After 180 days all DCs remove the tombstone as part of garbage collection, the routine process with which every DC cleans up its copy of the database. If the deleted object were restored after those 180 days, the other DCs would no longer hold a tombstone for it: they cannot tell the restored DC that the object was deleted, and the restored DC has no way to find out, so the object lingers on one DC only and the directory is inconsistent.
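The lifetimes this section relies on are stored in the forest, and the 180-day figure is only a default. The following PowerShell 2.0 check, added here and not part of the original document, reads tombstoneLifetime and msDS-DeletedObjectLifetime from the Directory Service object, checks whether the Recycle Bin is enabled, and judges a backup's age against them; the seven-day margin and the choice of the smaller lifetime when the Recycle Bin is enabled are conservative assumptions of this example.

```powershell
# Added example, not part of the original document. Requires the Active Directory
# module (RSAT-AD-PowerShell on Windows Server 2008 R2).
Import-Module ActiveDirectory

function Get-AdLifetimeSettings {
    $config = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
                       -Properties tombstoneLifetime, msDS-DeletedObjectLifetime
    # If tombstoneLifetime is not set, the forest uses the built-in default: 60 days for a
    # forest created before Windows Server 2003 SP1, 180 days for forests created on
    # 2003 SP1 or later. Read the value instead of assuming 180.
    $tsl = $ds.tombstoneLifetime
    if ($tsl -eq $null) { $tsl = 60 }
    $dol = $ds.'msDS-DeletedObjectLifetime'
    if ($dol -eq $null) { $dol = $tsl }          # not set means "same as tombstone lifetime"
    $rb = Get-ADOptionalFeature -Filter {name -eq "Recycle Bin Feature"}
    $rbEnabled = $false
    if ($rb -and $rb.EnabledScopes) { $rbEnabled = (@($rb.EnabledScopes).Count -gt 0) }
    New-Object PSObject -Property @{
        TombstoneLifetimeDays     = [int]$tsl
        DeletedObjectLifetimeDays = [int]$dol
        RecycleBinEnabled         = $rbEnabled
    }
}

function Test-AdBackupAge {
    # $BackupTime is the 'Backup time' of the version you intend to restore.
    param([Parameter(Mandatory=$true)][datetime]$BackupTime, [datetime]$Now = (Get-Date))
    $s = Get-AdLifetimeSettings
    # Hard limit: AD refuses media older than the tombstone lifetime. With the Recycle Bin
    # enabled the smaller of the two lifetimes is taken here as the conservative choice.
    $limit = $s.TombstoneLifetimeDays
    if ($s.RecycleBinEnabled) { $limit = [math]::Min($limit, $s.DeletedObjectLifetimeDays) }
    $age = ($Now - $BackupTime).TotalDays
    New-Object PSObject -Property @{
        BackupAgeDays = [math]::Round($age, 1)
        LimitDays     = $limit
        Usable        = ($age -lt $limit)
        # Replication of the restored data must also finish before the deadline: keep a margin.
        SafeMargin    = ($age -lt ($limit - 7))
    }
}

# Usage: Test-AdBackupAge -BackupTime '07/27/2010 09:25'
```

Run it before every restore rather than once: the tombstone lifetime can be changed by an administrator, and a value raised after the backup was taken does not make that backup any younger in the eyes of the DCs that already garbage-collected the tombstones.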
11.3 Change the Active Directory Restore Mode (DSRM) Administrator Password
Change the Directory Services Restore Mode Administrator password if you do not know it. Every domain administrator can change the DSRM Administrator password. This account and password can only be used on a domain controller booted into Directory Services Restore Mode. To change the password:
1. From a command prompt, start ntdsutil.
2. Type set dsrm password and press Enter to enter the DSRM part of ntdsutil.
3. Type reset password on server <servername>, where <servername> is the name of the domain controller on which the AD recovery operation has to be performed.
4. Enter the new Administrator password.
5. Confirm the new Administrator password.
6. Close ntdsutil.
11.5 How to Disable Initial Replication
A domain controller in a domain with more than one domain controller only advertises itself as a domain controller once it has completed an initial replication with another domain controller at boot time. If the recovered server is the first domain controller of the domain and runs Windows Server 2008 or later, a registry value is needed so that AD DS does not stay unavailable until it has replicated a writable directory partition. Create the following registry value:
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Type: DWORD
Data: 0
After the forest is completely recovered, set the value back to 1. With 1, a domain controller that restarts and holds operations master roles must complete successful AD DS inbound and outbound replication with its known replica partners before it advertises itself as a domain controller and starts providing services to clients.
To do so, there are two possibilities:
1. Install Windows Server Backup, reconstruct the backup catalog with wbadmin and recover the system state:
   - Restore the catalog: wbadmin restore catalog -backupTarget:<location>
   - List the versions you can restore from: wbadmin get versions
   - Restore the system state: wbadmin start systemstaterecovery -version:<version> -quiet
2. Install Windows Server Backup and restore the system state directly from the backup location with the -backupTarget: parameter:
   - List the versions you can restore from: wbadmin get versions -backupTarget:<location>
   - Restore the system state: wbadmin start systemstaterecovery -version:<version> -quiet -backupTarget:<location>
For the catalog restore to succeed, the path to the backup files must start at the level where WindowsImageBackup sits. If you copy the backup files to a locally attached disk, the structure must be E:\WindowsImageBackup\<servername>\Backup...; E:\<servername>\Backup... will not work.
12.2.2 Non-Authoritative Restore
To restore the entire AD or parts of it non-authoritatively:
1. Be sure you know the Directory Services Restore Mode Administrator password. If not, please refer to 11.3 Change the Active Directory Restore Mode (DSRM) Administrator Password.
2. Boot the existing domain controller, or the newly staged Windows Server 2008 R2 server, into Directory Services Restore Mode: log on with an account that has at least local administrative rights and, from a command prompt, execute the same steps as in 12.2.3:
   bcdedit /set safeboot dsrepair
   Reboot the server and log on with the DSRM account and password.
3. From a command prompt, list the available versions and start the recovery:
   wbadmin get versions
   wbadmin start systemstaterecovery -version:<version> -quiet
4. Once the system state restore has finished, select Y to reboot the system.
5. Log on with the DSRM account and password and wait until the restore process has finished.
6. To disable the Directory Services Restore Mode boot option, execute from a command prompt: bcdedit /deletevalue safeboot
7. Reboot the system.
12.2.3 Authoritative Restore
Restoring Active Directory content authoritatively follows the same process as a non-authoritative restore plus some additional tasks. To restore the domain naming context or parts of it authoritatively:
1. Be sure you know the Directory Services Restore Mode Administrator password. If not, please refer to 11.3 Change the Active Directory Restore Mode (DSRM) Administrator Password.
2. Boot the existing domain controller, or the newly staged Windows Server 2008 R2 server, into Directory Services Restore Mode: log on with an account that has at least local administrative rights and, from a command prompt, execute:
   bcdedit /set safeboot dsrepair
   Reboot the server and log on with the DSRM account and password.
3. From a command prompt, list the available versions and start the recovery:
   wbadmin get versions
   wbadmin start systemstaterecovery -version:<version> -quiet
   Example: wbadmin start systemstaterecovery -version:07/27/2010-09:25 -quiet
4. Once the system state restore has finished, select Y to reboot the system.
5. Log on with the DSRM account and password and wait until the restore process has finished.
6. Disable the initial replication process; for more information, please refer to 11.5 How to Disable Initial Replication.
7. From a command prompt, start ntdsutil and execute the following commands (quote the distinguished name if it contains spaces):
   activate instance ntds
   authoritative restore
   restore object "<distinguished name>"
   quit
   quit
8. To disable the Directory Services Restore Mode boot option, execute from a command prompt: bcdedit /deletevalue safeboot
9. Reboot the system.
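The procedure above spans two reboots, and two of its steps (the wbadmin recovery and the ntdsutil authoritative restore) must only ever run while the server is in Directory Services Restore Mode. The following PowerShell 2.0 functions, added here and not the document's own code, implement one phase each with that check built in, cover the 11.5 registry value, and use ntdsutil's restore subtree command for an OU (restore object, as above, for a single object). The backup version 01/30/2012-21:00 on E: and the OU OU=Users,DC=rsabb,DC=be,DC=extranet are hypothetical, and feeding ntdsutil its commands on standard input is this example's way of keeping a DN with spaces intact.

```powershell
# Added example, not the document's code: the 12.2.3 procedure as one function per phase.
# Hypothetical values: backup version 01/30/2012-21:00 on E:, subtree
# OU=Users,DC=rsabb,DC=be,DC=extranet to restore authoritatively.

function Assert-InDsrm {
    # The restore steps only make sense in Directory Services Restore Mode: the safeboot
    # flag must be present in the current boot entry and AD DS (service NTDS) not running.
    $bcd = & bcdedit.exe /enum '{current}'
    $flagged = @($bcd | Where-Object { $_ -match 'safeboot\s+DsRepair' }).Count -gt 0
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    if (-not $flagged -or ($ntds -ne $null -and $ntds.Status -eq 'Running')) {
        throw 'This machine is not booted in Directory Services Restore Mode; aborting.'
    }
}

function Enter-DsrmBoot {
    # Phase 1 (normal mode): flag the next boot as DSRM, then Restart-Computer and log on
    # as .\Administrator with the DSRM password from section 11.3.
    & bcdedit.exe /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run from an elevated prompt.' }
}

function Restore-DcSystemState {
    # Phase 2 (DSRM): non-authoritative system state restore. wbadmin asks to reboot when
    # it is done; answer Y as the procedure says, then log on with the DSRM account again.
    param([Parameter(Mandatory=$true)][string]$Version, [string]$BackupTarget)
    Assert-InDsrm
    $wbArgs = @('start', 'systemstaterecovery', "-version:$Version", '-quiet')
    if ($BackupTarget) { $wbArgs += "-backupTarget:$BackupTarget" }
    & wbadmin.exe $wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
}

function Set-InitialSyncRequirement {
    # Section 11.5: 0 lets a lone recovered DC advertise without waiting for a replication
    # partner; set it back to 1 once the forest is recovered.
    param([Parameter(Mandatory=$true)][ValidateSet(0, 1)][int]$Value)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                     -Name 'Repl Perform Initial Synchronizations' -Value $Value -Type DWord
}

function Invoke-Ntdsutil {
    # Hand the commands to ntdsutil on standard input (one command per line) so that a DN
    # containing spaces arrives as one argument; assumption of this example, which avoids
    # the command-line quoting problems of passing such a DN as an argument.
    param([Parameter(Mandatory=$true)][string[]]$Commands)
    $script  = [System.IO.Path]::GetTempFileName()
    $outFile = [System.IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $script -Encoding ASCII
    Start-Process -FilePath ntdsutil.exe -RedirectStandardInput $script `
                  -RedirectStandardOutput $outFile -Wait -NoNewWindow
    $out = Get-Content -Path $outFile
    Remove-Item -Path $script, $outFile -Force
    return $out
}

function Restore-AdSubtreeAuthoritative {
    # Phase 3 (DSRM, after the post-restore reboot): mark the subtree authoritative.
    # ntdsutil raises the version numbers of every object in it (by default 100000 per day
    # since the backup) so the restored copies win replication against the other DCs.
    param([Parameter(Mandatory=$true)][string]$Dn)
    Assert-InDsrm
    $out = Invoke-Ntdsutil -Commands @(
        'activate instance ntds',
        'authoritative restore',
        "restore subtree `"$Dn`"",    # 'restore object "<DN>"' for a single object
        'quit', 'quit')
    # ntdsutil still asks for confirmation in a dialog box; answer it. Keep the
    # ar_<timestamp>_objects.txt and ar_<timestamp>_links_*.ldf files it writes to the
    # current directory: section 12.6 needs them to rebuild group memberships.
    $out
    Get-ChildItem -Path (Get-Location).Path -Filter 'ar_*' | Select-Object Name
}

function Exit-DsrmBoot {
    # Phase 4: clear the DSRM flag, Restart-Computer, and once the other DCs replicate
    # again run Set-InitialSyncRequirement 1.
    & bcdedit.exe /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run from an elevated prompt.' }
}

# Order of operations:
#   Enter-DsrmBoot; Restart-Computer
#   Restore-DcSystemState -Version '01/30/2012-21:00' -BackupTarget 'E:'   (Y, reboot, DSRM logon)
#   Set-InitialSyncRequirement 0
#   Restore-AdSubtreeAuthoritative -Dn 'OU=Users,DC=rsabb,DC=be,DC=extranet'
#   Exit-DsrmBoot; Restart-Computer
```

The Assert-InDsrm guard is the important part: running wbadmin start systemstaterecovery or the ntdsutil authoritative restore on a DC that is still in normal mode fails at best and, at worst, leaves you unsure which phase actually completed.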
< Distinguished name > The distinguished name is unambiguous (identifies one object only) and unique (no other object in the directory has this name). By using the full path to an object, including the object name and all parent objects to the root of the domain, the distinguished name uniquely and unambiguously identifies an object within a domain hierarchy. It contains sufficient information for an LDAP client to retrieve the object's information from the directory. For example, a user named James Smith works in the marketing department of a company as a promotions coordinator. Therefore, his user account is created in an organizational unit that stores the accounts for marketing department employees who are engaged in promotional activities. James Smith's user identifier is JSmith, and he works in the North American branch of the company. The root domain of the company is reskit.com, and the local domain is noam.reskit.com. The diagram illustrates the components that make up the distinguished name of the user object JSmith in the noam.reskit.com domain.
Fig 3: components of the distinguished name of the user object JSmith in the noam.reskit.com domain.
Other examples are:
Entire domain: dc=rsabb,dc=be,dc=extranet
Entire OU: ou=users,dc=rsabb,dc=be,dc=extranet
One user: cn=peter,ou=users,dc=rsabb,dc=be,dc=extranet
Configuration: cn=configuration,dc=be,dc=extranet
12.3.1 Authoritative Restore through LDP.exe
In this example, the user named peter01 has been deleted and tombstoned in the domain test.be.extranet. To reanimate the tombstone:
1. Copy the entire DN of the tombstone object.
2. From the Browse menu, select Modify.
12.3.2 Authoritative Restore through ADRestore.exe
Although reanimating deleted objects is not that difficult, it is not a user-friendly method. Sysinternals (now part of Microsoft) developed a tool named ADRestore. The command-line version can be downloaded from: http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx
To find tombstones: from the command prompt, run AdRestore.exe. This lists all deleted objects.
To reanimate tombstones: from the command prompt, run AdRestore.exe -r and select Yes for each object to restore.
Remarks:
- A user account remains disabled after reanimation.
- The password is lost during reanimation.
- All group memberships are lost during reanimation.
- Many other attributes are lost too.
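Both LDP.exe and ADRestore perform the same LDAP operation: a search with the Show Deleted control to find the tombstone, then a single modify that removes isDeleted and rewrites distinguishedName so the object lands back under its lastKnownParent. The following PowerShell 2.0 script, added here and neither the document's nor Sysinternals' code, does exactly that with System.DirectoryServices.Protocols; the domain controller dc01.test.be.extranet and the user peter01 are hypothetical names.

```powershell
# Added example: tombstone reanimation over LDAP, as LDP.exe and ADRestore do it.
# Hypothetical environment: DC dc01.test.be.extranet, deleted user peter01.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function Connect-Ldap {
    param([Parameter(Mandatory=$true)][string]$Server)
    $c = New-Object "$P.LdapConnection" -ArgumentList $Server
    $c.SessionOptions.ProtocolVersion = 3
    $c.SessionOptions.Signing = $true    # integrity protection on the session (Negotiate)
    $c.Bind()                            # current credentials
    return $c
}

function Find-Tombstone {
    # Search the Deleted Objects container for a tombstone by its original RDN. The cn of a
    # tombstone is "<name>\0ADEL:<guid>", \0A being the escaped line feed AD inserts.
    param($Conn, [string]$DomainDn, [string]$Name)
    $safe = $Name -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $filter = "(&(isDeleted=TRUE)(cn=$safe\0ADEL:*))"
    $attrs = [string[]]@('distinguishedName', 'lastKnownParent', 'objectClass')
    $req = New-Object "$P.SearchRequest" -ArgumentList "CN=Deleted Objects,$DomainDn", $filter,
              ([System.DirectoryServices.Protocols.SearchScope]::Subtree), $attrs
    $req.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null   # OID 1.2.840.113556.1.4.417
    $resp = $Conn.SendRequest($req)
    return @($resp.Entries)
}

function Restore-Tombstone {
    # Reanimate with one ModifyRequest: delete isDeleted and replace distinguishedName.
    # AD requires both changes in the same operation.
    param($Conn, $Entry)
    $deletedDn = $Entry.DistinguishedName
    $parent = $Entry.Attributes['lastKnownParent'][0]
    if ($parent -is [byte[]]) { $parent = [System.Text.Encoding]::UTF8.GetString($parent) }
    # RDN before the \0ADEL: mangling, e.g. "CN=peter01" from "CN=peter01\0ADEL:<guid>,CN=Deleted Objects,..."
    $rdn = ($deletedDn -split '\\0ADEL:')[0]
    $newDn = "$rdn,$parent"
    $rmDeleted = New-Object "$P.DirectoryAttributeModification"
    $rmDeleted.Name = 'isDeleted'
    $rmDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDn = New-Object "$P.DirectoryAttributeModification"
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null
    $mod = New-Object "$P.ModifyRequest"
    $mod.DistinguishedName = $deletedDn
    $mod.Modifications.Add($rmDeleted) | Out-Null
    $mod.Modifications.Add($setDn) | Out-Null
    $mod.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
    $resp = $Conn.SendRequest($mod)
    if ($resp.ResultCode -ne 'Success') { throw "Reanimation failed: $($resp.ResultCode) $($resp.ErrorMessage)" }
    return $newDn
}

# Usage (hypothetical environment):
#   $conn = Connect-Ldap 'dc01.test.be.extranet'
#   $hits = Find-Tombstone $conn 'DC=test,DC=be,DC=extranet' 'peter01'
#   if ($hits.Count -eq 1) { Restore-Tombstone $conn $hits[0] } else { "expected one tombstone, found $($hits.Count)" }
```

The reanimated account comes back exactly as the remarks above describe: disabled, without its password, without its group memberships and without most other attributes, because a tombstone only keeps the handful of attributes that are marked as preserved on deletion. Reset the password and re-add the memberships afterwards, or prefer the Recycle Bin (12.5) where it is enabled.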
(DSA.msc), ADSIEDIT.msc, LDP.exe or others. You can also connect to it with command-line tools such as LDIFDE or CSVDE, which let you export information from that database.
To list AD content from a snapshot using DSAMAIN:
1. Mount the snapshot with ntdsutil (snapshot, list all, mount <snapshot number>; the dismount steps at the end of this section use the same sequence).
2. Find the exact path of the NTDS database file in the file structure of the mounted snapshot: search for the file named ntds.dit and pass that path to DSAMAIN together with an unused LDAP port.
3. Open the ADSI Edit MMC snap-in, select Connect to, select Advanced, enter the LDAP port you specified on the DSAMAIN command and select OK twice. You are now connected to the mounted Active Directory with the content as it was when the snapshot was taken. Any LDAP-aware tool can connect to it to browse and export the content.
4. To stop DSAMAIN and release the database, press CTRL+C in the command prompt where you started it.
Export and import Active Directory objects: LDIFDE and CSVDE are tools that export and import Active Directory objects. Use them against the mounted AD snapshot to search for and export objects; the exports are later imported into the live Active Directory.
To dismount snapshots:
1. From the command prompt, start ntdsutil.
2. Enter snapshot.
3. Enter list all and note the number of the mounted snapshot you want to release.
4. Enter unmount <snapshot number>. You can unmount one version after another; the snapshot folder on the hard drive disappears once it is unmounted.
5. Quit ntdsutil.
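The snapshot lifecycle from 8.2 (create) and 12.4 (mount, expose with DSAMAIN, export, dismount) as one PowerShell 2.0 script, added here and not part of the original document. The LDAP port 51389, the OU OU=Users,DC=rsabb,DC=be,DC=extranet, the export file C:\temp\users.ldf and the pattern used to pick the mount path out of ntdsutil's output are this example's assumptions; check the list all output before trusting the default mount index.

```powershell
# Added example, not the document's own code. Run elevated on a domain controller
# (dsamain.exe, ntdsutil.exe and ldifde.exe are present there).

function New-AdSnapshot {
    # 8.2.1: one-step creation; each quoted string is one ntdsutil command.
    $out = & ntdsutil.exe snapshot 'activate instance ntds' create quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
    # ntdsutil reports "Snapshot set {guid} generated successfully."; return the guid.
    if (($out -join "`n") -match 'Snapshot set (\{[0-9a-fA-F-]+\})') { return $Matches[1] }
    return $null
}

function Mount-AdSnapshot {
    # Mount by index from 'list all'. Entry 1 is the snapshot set, entry 2 the first volume
    # in it, which is what gets mounted; hence the default of 2. Returns the mount path,
    # printed by ntdsutil as <drive>:\$SNAP_<yyyymmddhhmm>_VOLUME<letter>$\ .
    param([int]$Index = 2)
    $out = & ntdsutil.exe snapshot 'activate instance ntds' 'list all' "mount $Index" quit quit
    $text = $out -join "`n"
    if ($text -match '([A-Za-z]:\\\$SNAP_\d+_VOLUME[A-Za-z]\$\\?)') { return $Matches[1] }
    throw "Mount path not found in ntdsutil output:`n$text"
}

function Start-AdSnapshotLdap {
    # 12.4 steps 1 and 2: locate ntds.dit inside the mounted snapshot and serve it on an
    # alternate LDAP port. dsamain runs until stopped, so it is started as its own process.
    param([Parameter(Mandatory=$true)][string]$MountPath, [int]$Port = 51389)
    $dit = Get-ChildItem -Path $MountPath -Recurse -Filter ntds.dit -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $dit) { throw "ntds.dit not found under $MountPath" }
    $p = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$($dit.FullName)`" -ldapport $Port" -PassThru
    Start-Sleep -Seconds 10      # give the mounted instance time to start listening
    return $p
}

function Export-FromSnapshot {
    # Export the users of an OU from the snapshot instance. objectGUID and objectSid are
    # omitted (-o) because the live directory will not accept them on import.
    param([int]$Port = 51389, [Parameter(Mandatory=$true)][string]$BaseDn, [string]$OutFile = 'C:\temp\users.ldf')
    & ldifde.exe -f $OutFile -s localhost -t $Port -d $BaseDn -p subtree -r '(objectClass=user)' `
                 -l 'objectClass,cn,sAMAccountName,givenName,sn,displayName,description' -o 'objectGUID,objectSid'
    if ($LASTEXITCODE -ne 0) { throw "ldifde exited with code $LASTEXITCODE" }
    return $OutFile
}

function Stop-AdSnapshotLdap {
    # Stop dsamain, then unmount the same index that was mounted; the $SNAP_ folder goes away.
    param($Process, [int]$Index = 2)
    if ($Process -and -not $Process.HasExited) { Stop-Process -Id $Process.Id }
    & ntdsutil.exe snapshot 'activate instance ntds' 'list all' "unmount $Index" quit quit | Out-Null
}

# Usage (hypothetical values):
#   New-AdSnapshot
#   $path = Mount-AdSnapshot -Index 2
#   $dsa  = Start-AdSnapshotLdap -MountPath $path -Port 51389
#   Export-FromSnapshot -Port 51389 -BaseDn 'OU=Users,DC=rsabb,DC=be,DC=extranet' -OutFile 'C:\temp\users.ldf'
#   Stop-AdSnapshotLdap -Process $dsa -Index 2
#   Re-import into the live directory with: ldifde -i -k -f C:\temp\users.ldf
```

A mounted snapshot is a complete, unencrypted copy of the directory database readable by anyone who can access the mount path, and DSAMAIN serves it to whoever can reach the port; treat the mount like a backup medium, and unmount as soon as the export is done.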
To restore deleted Active Directory objects:
Open the Active Directory Module for Windows PowerShell in an Administrator security context. To restore a single deleted object, execute:
Restore-ADObject -Identity <identity>
where <identity> is the ObjectGUID attribute of the deleted object. For example:
Restore-ADObject -Identity 99a536bb-84a0-4732-9b52-78c621905ffb
You can restore several objects at the same time: every object or group of objects returned by a Get-ADObject query can be piped into Restore-ADObject, as in the following examples.
All deleted objects in the domain:
Get-ADObject -Filter {isDeleted -eq $true -and name -ne "Deleted Objects"} -IncludeDeletedObjects -Properties objectGUID | Restore-ADObject
All objects deleted after a given moment:
$changeddate = [datetime]"2011-03-21 18:00:00"
Get-ADObject -Filter {whenChanged -gt $changeddate -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject
A deleted OU, identified by its last known name and its last known parent:
Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=<OU name>)(lastKnownParent=<DN of parent>))" -IncludeDeletedObjects | Restore-ADObject
All deleted objects that were directly below an OU (restore the OU itself first if it was deleted too):
Get-ADObject -Filter {isDeleted -eq $true -and lastKnownParent -eq "<DN of OU>"} -IncludeDeletedObjects | Restore-ADObject
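The last two commands above are the pieces of the one case that goes wrong in practice: an OU deleted together with everything below it. Restore-ADObject refuses a child whose parent is still deleted, and when an OU was removed as a tree the children's lastKnownParent may record the parent's mangled DN (OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...) rather than its live DN. The following PowerShell 2.0 script, added here and not the document's own code, restores parent first and matches both DN forms; the OU Sales below DC=rsabb,DC=be,DC=extranet is a hypothetical name.

```powershell
# Added example, not from the document: restore a deleted OU and its whole former
# content, parent before children. Hypothetical: OU "Sales" in DC=rsabb,DC=be,DC=extranet.
Import-Module ActiveDirectory

function Get-AdDeletedObjects {
    # One query for every deleted object in the domain; the parent/child matching is done
    # in memory below, which sidesteps escaping the \0A sequence inside an LDAP filter.
    param([Parameter(Mandatory=$true)][string]$DomainDn)
    Get-ADObject -SearchBase "CN=Deleted Objects,$DomainDn" -IncludeDeletedObjects `
        -Filter {isDeleted -eq $true -and name -ne "Deleted Objects"} `
        -Properties lastKnownParent, msDS-LastKnownRDN, objectClass, whenChanged
}

function Restore-AdDeletedTree {
    # Restore $Root, then every object whose lastKnownParent names it (by live or mangled
    # DN), recursively. Returns the number of objects restored (or, with -WhatIf, listed).
    param([Parameter(Mandatory=$true)]$Root, [Parameter(Mandatory=$true)]$Deleted, [switch]$WhatIf)
    $mangledDn = $Root.DistinguishedName
    if ($WhatIf) { Write-Host "would restore $mangledDn" }
    else         { Restore-ADObject -Identity $Root.ObjectGUID }
    # The DN the object has once restored: its original RDN under its lastKnownParent.
    $rdn = ($mangledDn -split '\\0ADEL:')[0]
    $liveDn = "$rdn,$($Root.lastKnownParent)"
    $children = @($Deleted | Where-Object {
        $_.lastKnownParent -eq $liveDn -or $_.lastKnownParent -eq $mangledDn })
    $count = 1
    foreach ($child in $children) {
        $count += Restore-AdDeletedTree -Root $child -Deleted $Deleted -WhatIf:$WhatIf
    }
    return $count
}

# Usage (hypothetical values): dry run first, then the real restore.
#   $deleted = Get-AdDeletedObjects -DomainDn 'DC=rsabb,DC=be,DC=extranet'
#   $ou = @($deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'Sales' -and $_.ObjectClass -eq 'organizationalUnit' })
#   if ($ou.Count -ne 1) { throw "expected exactly one deleted OU named Sales, found $($ou.Count)" }
#   Restore-AdDeletedTree -Root $ou[0] -Deleted $deleted -WhatIf
#   Restore-AdDeletedTree -Root $ou[0] -Deleted $deleted
```

Unlike tombstone reanimation, a Recycle Bin restore brings the objects back with their attributes and linked values (group memberships included), which is why the dry run is worth a look: it shows every object that is about to reappear, including stale accounts nobody intended to get back.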
12.6 Restoring Back-Links
Restoring back-links is only necessary when groups or users were deleted from a domain while they were members of groups in other domains. It is not needed when all of the following are true:
- Your DCs run at least Windows Server 2003 SP1 (or 2008, 2008 R2) and the forest operates at least at the Windows Server 2003 forest functional level.
- Only users were deleted, or only groups were deleted, never both at the same time.
- The deleted users and groups are in the same domain.
In variations of this scenario, user accounts, computer accounts or security groups may have been deleted individually or in some combination. In all these cases, authoritatively restore the objects that were inadvertently deleted. Some deleted objects require more work to be restored: objects such as user accounts carry attributes that are back-links of attributes on other objects. Two of these attributes are managedBy and memberOf.

There are three methods:
- Restore the deleted user accounts, then add the restored users back to their groups with the files Ntdsutil.exe generates.
- Restore the deleted user accounts, then add the restored users back to their groups with a script.
- Authoritatively restore the deleted user accounts and the deleted users' security groups two times.

12.6.1 Restore group memberships through NTDSUTIL and LDIFDE
For each authoritative restore, at least two files are generated in the directory from which ntdsutil was started. They have the following names:
ar_YYYYMMDD-HHMMSS_objects.txt: the list of authoritatively restored objects. Use this file with the ntdsutil authoritative restore command create ldif file from in every other domain of the forest where the restored users were members of domain local groups.
ar_YYYYMMDD-HHMMSS_links_<domain>.ldf (for example ar_YYYYMMDD-HHMMSS_links_usn.loc.ldf): if the authoritative restore is performed on a global catalog, one such file is generated for every domain in the forest. Each is a script for the Ldifde.exe utility that restores the back-links of the restored objects. In the users' home domain the script restores all their group memberships; in every other domain of the forest where the users have group memberships it restores only universal and global group memberships. It does not restore any domain local group memberships, because a global catalog does not track them; that is what the objects.txt file and create ldif file from are for.
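Importing the generated files is the step most often skipped or done against the wrong domain, so here is the 12.6.1 method as a PowerShell 2.0 script, added to this document and not part of the original: it imports the ar_*_links_*.ldf files with ldifde, generates the links file for another domain from objects.txt, and reports which restored users still have zero group memberships. The work directory C:\restore (a path without spaces, because ntdsutil receives the file name as a plain argument here) and the layout of objects.txt as one DN per line are assumptions.

```powershell
# Added example, not from the document. Hypothetical: work directory C:\restore.
Import-Module ActiveDirectory

function Import-AdRestoredLinks {
    # ldifde -i imports; -k skips "already exists" and "constraint violation" errors such
    # as a membership that is already present; -j names the directory for ldif.log/ldif.err.
    param([string]$WorkDir = 'C:\restore', [string]$Server = $env:COMPUTERNAME)
    $files = @(Get-ChildItem -Path $WorkDir -Filter 'ar_*_links_*.ldf' | Sort-Object Name)
    if ($files.Count -eq 0) { throw "No ar_*_links_*.ldf in $WorkDir; run the authoritative restore first." }
    foreach ($f in $files) {
        & ldifde.exe -i -k -s $Server -f $f.FullName -j $WorkDir
        if ($LASTEXITCODE -ne 0) { throw "ldifde failed on $($f.Name) with exit code $LASTEXITCODE" }
    }
    return $files.Count
}

function New-AdCrossDomainLinkFile {
    # Run on a DC of another domain in which the restored users held domain local group
    # memberships: turns objects.txt into that domain's links .ldf, which
    # Import-AdRestoredLinks then imports there.
    param([Parameter(Mandatory=$true)][string]$ObjectsFile)
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' "create ldif file from $ObjectsFile" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
}

function Get-AdRestoredMembershipReport {
    # objects.txt is read as one restored DN per line (assumption about its layout). Each DN
    # is looked up and its current memberOf count reported; zero is the symptom of lost
    # back-links.
    param([Parameter(Mandatory=$true)][string]$ObjectsFile)
    Get-Content -Path $ObjectsFile | Where-Object { $_ -match '^\s*CN=' } | ForEach-Object {
        $dn = $_.Trim()
        $obj = Get-ADObject -Identity $dn -Properties memberOf -ErrorAction SilentlyContinue
        $groups = 0
        if ($obj) { $groups = @($obj.memberOf).Count }
        New-Object PSObject -Property @{ DN = $dn; Found = ($obj -ne $null); Groups = $groups }
    }
}

# Usage in the users' home domain, after the authoritative restore of 12.2.3 (hypothetical names):
#   Import-AdRestoredLinks -WorkDir 'C:\restore'
#   Get-AdRestoredMembershipReport -ObjectsFile 'C:\restore\ar_20120130-210000_objects.txt' | Format-Table -AutoSize
# In another domain: copy objects.txt there, run New-AdCrossDomainLinkFile, then Import-AdRestoredLinks.
```

Note that memberOf is a computed back-link, so the report only shows memberships once the member values on the groups have replicated to the DC you query; run it against the DC on which the import was done.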
12.6.2 Restore security principals two times
To restore all security principals twice:
1. Authoritatively restore all deleted user accounts and all security groups; for more information, please refer to 12.1.1 Authoritative Restore.
2. Reboot the system into normal Active Directory operation mode.
3. Wait for end-to-end replication of the restored users and security groups to all domain controllers in the deleted users' domain and to the forest's global catalog domain controllers.
4. Repeat steps 1, 2 and 3 once more.
5. If the deleted users were members of security groups in other domains, authoritatively restore in those domains all the security groups the deleted users were members of. Or, if the system state backups there are current, authoritatively restore all the security groups in those domains.
Remove all remaining domain controllers: if any, power down all existing domain controllers of the domain to recover and make sure they never come back online.

To recover the system state:
1. Restage a computer on equivalent hardware with the same number of partitions as the original failed domain controller.
2. Perform an authoritative system state restore; for more information, please refer to 12.1.1 Authoritative Restore.

To clean up Active Directory:
1. Using ntdsutil, remove all domain controllers except the restored one from the domain, so that only the recovered domain controller remains for the recovered domain. Connect ntdsutil to the recovered domain controller. Keep in mind that the domain is not reachable yet, so the Active Directory Users and Computers MMC snap-in will not work; use ADSI Edit to remove objects from the AD. To remove a DC from Active Directory, please refer to 11.2 Remove Domain Controller from Active Directory.
2. Unless you plan to reuse the original server names, clean out DNS for each domain controller removed from the domain; for more information, please refer to 11.1 Remove Domain Controller from DNS.
3. Make sure all domain-wide FSMO roles are now held by the recovered domain controller. To seize the FSMO roles, refer to 15 FSMO Roles Recovery.
4. Reboot the system.
5. Validate the restore; please refer to 11.4 Verification of a Successful Restore.

Add additional domain controllers through the normal staging procedures, using the most recent domain controller profile.
FSMO role and scope (remaining rows of the overview table):
PDC Emulator: domain
Infrastructure Master: domain
Seizing, or forcing transfer, as it is sometimes called, is a process carried out without the cooperation of the original role holder. In other words, when the original role holder has suffered a disaster, you can seize the role, forcing it to be moved to another DC within the domain/forest.
Recovering the Schema Master
The primary consideration is the permanence of the outage. Because of the chance of duplicate schema changes being propagated throughout the environment, a seizure of the schema master role should be carried out only if the failed role holder will never come back online. Because the schema master is rarely needed and a seizure has lasting implications, you can usually live with the outage during the time it takes to restore the DC holding the role. However, if you require the immediate use of the schema master role, or if the original role holder will never be brought back into the Windows 2008 environment, a seizure can be carried out.
Recovering the Domain Naming Master
The primary consideration is the permanence of the outage. Because of the chance of duplicate domain naming changes being propagated throughout the environment, a seizure of the domain naming master role should be carried out only if the failed role holder will never come back online. Because of the infrequent requirement for a domain naming master role and the implications of a seizure, you can usually live with the outage during the period of time it takes to restore the DC holding the role. However, if you require the immediate use of the domain naming master role or if the original role holder will never be brought back into the Windows 2008 environment, a seizure can be carried out.
Recovering the RID Master
Consider carefully before you decide to perform a seizure on an RID master. Because of the risk of duplicate RIDs on the network, the server that originally housed the RID master role must never come back online.
Recovering the PDC Emulator
Because the role of the PDC emulator is not quite as critical as those previously mentioned, the act of seizing the role does not have the ramifications of the others. If you choose to seize the PDC emulator role, you do not need to completely rebuild the original role holder before it can participate in the Windows 2008 environment again. As a result, the decision to seize the PDC emulator role has fewer implications for your environment and is generally considered a standard practice in the event of a PDC emulator failure, particularly in a mixed mode environment. The only real issue to consider is whether you are functioning in a mixed mode environment with NT 4.0 BDCs. For the BDCs to be aware of the changes, a full synchronization of the BUILTIN database with the new PDC emulator will occur.
Recovering a Global Catalog
This is not necessary when all domain controllers throughout the forest are Global Catalogs. If not, just enable the GC role on another remaining domain controller.
This is not necessary when all domain controllers throughout the forest are Global Catalogs. If not, simply seize the Infrastructure Master role to another remaining domain controller.
- Type: Select Operation Target
- Type: List roles for connected server, to be sure all seized roles are now on your domain controller
- Close ntdsutil
- Restart the Netlogon service
Windows Server 2008R2 AD Backup and Disaster Recovery Procedures
15.4 How to Move a Role
To move a role:
- Start ntdsutil from a command prompt on a remaining domain controller.
- Type (without the quotes): "roles" and press Return to enter the FSMO Maintenance part of ntdsutil.
- Type: Connections
- Type: Connect to server <local dc name>
- Type: q
- Type: Transfer <role>, where the role can be one of the following:
  o PDC
  o Domain naming master
  o Infrastructure master
  o RID Master
  o Schema master
- Type: Select Operation Target
- Type: List roles for connected server, to be sure all transferred roles are now on your domain controller
- Close ntdsutil
- Restart the Netlogon service
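As an added check that is not part of the original procedure (it complements the "List roles for connected server" step of both the seize and the move procedures), the following PowerShell uses the ActiveDirectory module shipped with Windows Server 2008 R2 to confirm that every FSMO role now points at the intended domain controller and that a failed role holder no longer exists as a DC object. 'DC01.example.local' and 'DC02' are placeholder names, and the function names are my own.

```powershell
Import-Module ActiveDirectory

# Compare the role holders AD reports against the DC that should now own them.
# Returns an empty array when every requested role is where it should be.
function Test-FsmoPlacement {
    param(
        [Parameter(Mandatory)][string]$ExpectedHolder,   # host name as AD reports it (FQDN)
        [string[]]$Roles = @('SchemaMaster', 'DomainNamingMaster',
                             'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    )
    $forest = Get-ADForest          # forest-wide roles
    $domain = Get-ADDomain          # domain-wide roles
    $current = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $problems = @()
    foreach ($role in $Roles) {
        if ($current[$role] -ne $ExpectedHolder) {
            $problems += "$role is held by '$($current[$role])', expected '$ExpectedHolder'"
        }
    }
    return $problems
}

# After a seizure the failed holder must not survive as a DC object: if it ever came
# back online it would still believe it owns the role (duplicate RIDs, schema changes).
function Test-OldHolderRemoved {
    param([Parameter(Mandatory)][string]$OldHolderName)
    $dc = Get-ADDomainController -Filter "Name -eq '$OldHolderName'" -ErrorAction SilentlyContinue
    return ($null -eq $dc)
}

# Placeholder names: replace with the recovered DC and the failed one.
$issues = Test-FsmoPlacement -ExpectedHolder 'DC01.example.local'
if ($issues.Count -eq 0) { Write-Host 'All FSMO roles are on DC01.example.local' }
else { $issues | ForEach-Object { Write-Warning $_ } }
if (-not (Test-OldHolderRemoved -OldHolderName 'DC02')) {
    Write-Warning 'DC02 still exists as a domain controller object; finish the ntdsutil metadata cleanup'
}
```

Run it after the Netlogon restart, since a transfer that only succeeded in ntdsutil's view but not in AD will show up here as a mismatch.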
SYSVOL Replication has been changed in Windows 2008
If the domain's functional level is Windows Server 2008 and the domain has undergone SYSVOL migration, DFSR will be used to replicate the SYSVOL folder. If the first domain controller in the domain was promoted directly into the Windows Server 2008 functional level, DFSR is automatically used for SYSVOL replication. In such cases, there is no need for migration of
- Once the System State restore has finished, select Y to reboot the system.
- Log on to the system using the DSRM account and password.
- Wait until the restore process has finished. At this point, SYSVOL has been restored authoritatively through NTDS.
- You now have the option to authoritatively restore the Active Directory as well. Skip the next step if you do not want to restore AD.
- From the command prompt, start ntdsutil and execute all of the following commands:
  o Activate instance ntds
  o Authoritative Restore
  o Restore Object <distinguished name>
  o Q to exit
  o Q to close ntdsutil
- To disable the Active Directory Restore Mode boot option, execute the following command on the command prompt: Bcdedit /deletevalue safeboot
- Reboot the system.
NTDSUTIL can be used to compact the Active Directory database to another location, followed by a copy that overwrites the original database file with the new compacted database file:
- On the domain controller, start a command prompt and execute the following command:
  o net stop NTDS
- Select Y to stop all dependent services.
- From the command prompt, start ntdsutil.
- Select Activate instance ntds
- Select Files
- Create a compacted copy of the current database in another location by using the command: compact to d:\
- From another command prompt, copy the new compacted database file to its original location (overwriting the original database file): copy D:\ntds.dit E:\NTDS_AD\ntds.dit
- From the NTDSUTIL command, start a checksum and be sure that no corruption is found. The AD database must be restored when any corruption is reported at this point of the repair operation; this means that the corruption is too complex to solve with the compact command.
Applies to event:
Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 474
Date: 21/09/2009
Time: 13:06:02
User: N/A
Computer: <servername>
Description: NTDS (420) NTDSA: The database page read from the file "e:\NTDS_AD\ntds.dit" at offset 1557479424 (0x000000005cd54000) for 8192 (0x00002000) bytes failed verification due to a page checksum mismatch. The expected checksum was 2951061134 (0xafe59e8e) and the actual checksum was 2951061135 (0xafe59e8f). The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
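An added detection example, not part of the original document: it parses the event 474 text shown above into the fields that drive the compact-or-restore decision, and on a live DC pulls matching events from the Directory Service log with Get-WinEvent. The page's own event message is embedded as the constructed test input; the regular expression and function names are my own.

```powershell
# Parse one NTDS ISAM 474 message into the fields an admin needs.
function ConvertFrom-NtdsIsamMessage {
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'from the file "(?<file>[^"]+)" at offset (?<offset>\d+) .*?' +
               'expected checksum was (?<expected>\d+) .*?actual checksum was (?<actual>\d+)'
    $m = [regex]::Match($Message, $pattern, 'Singleline')
    if (-not $m.Success) { return $null }
    New-Object PSObject -Property @{
        File         = $m.Groups['file'].Value
        Offset       = [int64]$m.Groups['offset'].Value
        Expected     = [uint32]$m.Groups['expected'].Value
        Actual       = [uint32]$m.Groups['actual'].Value
        # -1018 means the page itself is damaged: compacting will not repair it,
        # which is why the procedure above says to restore the database instead.
        NeedsRestore = ($Message -match '-1018')
    }
}

# Query the live Directory Service log on a DC for the same event over the last N days.
function Get-NtdsChecksumMismatch {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; ProviderName = 'NTDS ISAM'; Id = 474
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-NtdsIsamMessage -Message $_.Message
            if ($parsed) {
                $parsed | Add-Member -MemberType NoteProperty -Name TimeCreated -Value $_.TimeCreated -PassThru
            }
        }
}

# Constructed test input: the Description text of the event shown above.
$sample = 'NTDS (420) NTDSA: The database page read from the file "e:\NTDS_AD\ntds.dit" ' +
          'at offset 1557479424 (0x000000005cd54000) for 8192 (0x00002000) bytes failed verification ' +
          'due to a page checksum mismatch. The expected checksum was 2951061134 (0xafe59e8e) and ' +
          'the actual checksum was 2951061135 (0xafe59e8f). The read operation will fail with error -1018 (0xfffffc06).'
ConvertFrom-NtdsIsamMessage -Message $sample | Format-List File, Offset, Expected, Actual, NeedsRestore
```

Schedule Get-NtdsChecksumMismatch on each DC so a -1018 is noticed while a clean backup still exists, rather than when the database finally refuses to mount.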
RPO Defined [5]
The Recovery Point Objective (RPO) is the point in time to which you must recover data as
[4] Definition comes from Wikipedia: http://en.wikipedia.org/wiki/Recovery_Time_Objective
[5] Definition comes from Wikipedia: http://en.wikipedia.org/wiki/Recovery_point_objective
To address one or both of the above issues (some manual intervention is needed in both cases): install additional domain controllers on the remaining sites.